What is the meaning of the output under the NAME tag of the lsof -i
command when it appears as such *:*
Example output:
The UDP *:* means you have processes on your system listening on all network interfaces for IPv4 UDP packets:
All IPv4 Addresses are represented by a * on the left of the colon
All ports are represented by a * on the right of the colon
You can test this by sending a batch of 5 UDP packets to one of your local addresses with netcat:
$ echo "data" | nc -w1 -u 127.0.0.1 1-5
While using lsof in repeat mode to show the UDP connection activity:
$ lsof -r1 -iUDP -P -n | grep -E "^nc"
nc 3197 root 3u IPv4 0x614d3be71aa32a89 0t0 UDP 127.0.0.1:57137->127.0.0.1:2
nc 3197 root 3u IPv4 0x614d3be71b503dc9 0t0 UDP 127.0.0.1:62455->127.0.0.1:3
nc 3197 root 3u IPv4 0x614d3be71bdbe351 0t0 UDP 127.0.0.1:52982->127.0.0.1:4
nc 3197 root 3u IPv4 0x614d3be71b6335b9 0t0 UDP 127.0.0.1:61450->127.0.0.1:5
Related
We have ubuntu server installed on our desktop machine. It is connected modem with ethernet port. We can access it with ssh via inside of our network. But can not from outside.
Here is what we've done so far:
We have static ip
My professor made this i dont know what it is
Our ubuntu server machine always picks 192.168.1.200
We have port forwarding
when I run ssh maviarge#213.XXXXXXX from our LAN which holds ubuntu server machine
maviarge#213.XXXXXXX's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 10 Mar 2022 08:45:36 AM UTC
System load: 0.07 Processes: 166
Usage of /: 2.0% of 438.13GB Users logged in: 1
Memory usage: 2% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for enp3s0: 192.168.1.200
Temperature: 50.0 C
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
But when I run ssh -v maviarge#213.XXXXXXX from outside of our wifi.
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\MaviArge/.ssh/config
debug1: Connecting to 213.XXXXXXX [213.XXXXXXX] port 22.
debug1: connect to address 213.XXXXXXX port 22: Connection timed out
ssh: connect to host 213.XXXXXXX port 22: Connection timed out
When I run ping 213.XXXXXXX from outside
Pinging 213.XXXXXXX with 32 bytes of data:
Reply from 213.XXXXXXX: bytes=32 time=67ms TTL=46
Reply from 213.XXXXXXX: bytes=32 time=97ms TTL=46
Reply from 213.XXXXXXX: bytes=32 time=107ms TTL=46
Reply from 213.XXXXXXX: bytes=32 time=124ms TTL=46
Ping statistics for 213.XXXXXXX:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 67ms, Maximum = 124ms, Average = 98ms
Saw this command on internet sudo lsof -i:22 and the output:
sudo lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 3290 root 4u IPv4 38814 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:58124 (ESTABLISHED)
sshd 3375 maviarge 4u IPv4 38814 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:58124 (ESTABLISHED)
sshd 4057 root 3u IPv4 71589 0t0 TCP *:ssh (LISTEN)
sshd 4057 root 4u IPv6 71591 0t0 TCP *:ssh (LISTEN)
sshd 5662 root 4u IPv4 74261 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:60472 (ESTABLISHED)
sshd 5746 maviarge 4u IPv4 74261 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:60472 (ESTABLISHED)
Also nmap scan:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 05:17 EST
Nmap scan report for host-213.XXXXXXX.reverse.superonline.net (213.XXXXXXX)
Host is up (0.14s latency).
Not shown: 96 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
25/tcp filtered smtp
5060/tcp filtered sip
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
What's wrong?
have you try this
sudo ufw allow from any to any port 22 proto tcp
or
sudo ufw allow ssh
Google Firewall rules:
custom-allow-25 default 0.0.0.0/0 tcp:25 test
custom-allow-4447 default 0.0.0.0/0 tcp:4447 test
custom-allow-8080 default 0.0.0.0/0 tcp:8080 test
custom-allow-9443 default 0.0.0.0/0 tcp:9443 test
custom-allow-9999 default 0.0.0.0/0 tcp:9999 test
default-allow-http default 0.0.0.0/0 tcp:80 http-server
default-allow-https default 0.0.0.0/0 tcp:443 https-server
default-allow-icmp default 0.0.0.0/0 icmp
default-allow-internal default 10.128.0.0/9 tcp:0-65535,udp:0-65535,icmp
default-allow-rdp default 0.0.0.0/0 tcp:3389
default-allow-ssh default 0.0.0.0/0 tcp:22
Iptables:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4447 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
PREROUTING TEST:
DNAT tcp -- eth0 any anywhere anywhere tcp dpt:http to::8080
NETSTAT:
tcp 0 0 127.0.0.1:9999 0.0.0.0:* LISTEN 1583/java
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 1583/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 689/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 824/master
tcp 0 0 127.0.0.1:4447 0.0.0.0:* LISTEN 1583/java
tcp 0 0 127.0.0.1:9443 0.0.0.0:* LISTEN 1583/java
tcp6 0 0 :::22 :::* LISTEN 689/sshd
tcp6 0 0 ::1:25 :::* LISTEN 824/master
tcp6 0 0 :::3306 :::* LISTEN 710/mysqld
When I do curl localhost:8080 everything works, but when I do
curl externalIP:8080
^C - hangs
curl externalIP:80
curl: (7) Failed to connect to XXXXXX port 80: No route to host
I can SSH to external IP without problem, Firewall rules in GCE are set to "ANY".
Any idea what I might be doing wrong?
EDIT:
Ive also enabled any address in jboss, so it listens on 0.0.0.0 - to no avail.
Apparently when you create new rules in google firewall, they arent working right away. Today Ive tried it, didnt change anything and it worked like charm.
I have a service listening to customer traffic on ports 80 and 443 of eth1. The servers hosting my service also host other admin/privileged access content on eth0 and localhost
I am trying to setup iptable rules to lock down eth1 on servers which is on same network as clients (block things like ssh through eth1/ accessing internal services running on port 9904 etc.) I also want to make sure that the rules dont forbid regular access to eth1:80 and eth1:443. I have come up with below rules but wanted to review with iptable gurus on possible issues with this rule.
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j DROP
Do the rules above suffice
How does above differ from the rules found when googling
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -j ACCEPT
-A INPUT -i eth1 -j DROP
thanks i got this answered in https://serverfault.com/questions/834534/iptable-rules-to-restrict-eth1-access-to-ports-80-and-443 , adding it here for completeness
The first set of rules first allow all incoming packets on your ports
80 and 443. Then it drops ALL other incoming packets (except those
already accepted).
The second set of rules first allow all incoming packets on ports 80
and 443. Then it drops incoming connections (excluding 80 and 443 that
are already accepted), which are packets with only the SYN flag set.
Then it allows all incoming packets.
The difference here is what happens to your OUTGOING connections. In
the first ruleset, if you attempt to connect to another server, any
packets that server sends in response will be dropped so you will
never receive any data. In the second case, those packets will be
allowed since the first packet from the remote server will have both
SYN and ACK set and therefore pass the SYN test, and any following
packets will not have SYN set at all, and therefore pass the test.
This has been traditionally done using conntrack which requires the
kernel to keep track of every connection in the firewall, with a
command like
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
that matches the incoming packet either to an existing connection, or
a connection related to some other existing connection (eg FTP data
connections). If you aren't using FTP or other protocols that use
multiple random ports, then the second ruleset achieves basically the
same result without the overhead of tracking and inspecting these
connections.
Is there any way on Linux to get detailed analysis of network traffic to and from a process . Detailed analysis means the data as provided by tcpdump, wireshark.
How about using lsof to get further information on the process?
lsof -c $process
to see what files and network connections that are used by the process.
lsof -i | egrep 'mongod.*LISTEN'
to grep for all connections to the mongod process. From this you can see what port the process is listening on
$ lsof -i | egrep 'mongod.*LISTEN'
mongod 64223 fred 6u IPv4 0xffffff80298fec20 0t0 TCP *:27017 (LISTEN)
mongod 64223 fred 7u IPv4 0xffffff8017393500 0t0 TCP *:28017 (LISTEN)
mongod 64224 fred 9u IPv4 0xffffff8014038500 0t0 TCP *:27018 (LISTEN)
mongod 64224 fred 10u IPv4 0xffffff801746f880 0t0 TCP *:28018 (LISTEN)
......
......
......
and so then run tcpdump on that port.
HTH!
I'm trying to capture tcp packets from a GPS device(client) configured to my server's 11050 port of eth1 interface. I wanna capture these packets to a file. The result is not in a human readable format. Below are list of the commands i tried with, but no results. please help...
tcpdump -w test.pcap -i eth1 tcp port 11050
tcpdump -i eth1 -X -s 11050 -w test1
test1, test.pcap both read the below!!!
��ق���ق���ʣ�N�%��S�U$��E�MO#5�&߶y?vf��6++�qe��>ۀ
tcpdump will write the captured data in a format suitable for re-parsing later with tcpdump, wireshark, Tshark, etc.
Re-read the file with tcpdump -r test.pcap and you'll get human-readable output:
$ tcpdump -r ./test.pcap
reading from file ./test.pcap, link-type EN10MB (Ethernet)
23:25:32.646075 ARP, Request who-has moxi-00067F274580 tell haig, length 28
23:25:32.646322 ARP, Reply moxi-00067F274580 is-at 00:06:7f:27:45:80 (oui Unknown), length 46
23:25:34.567932 IP haig.36941 > 192.168.0.1.domain: 36648+ A? www.google.com. (32)
...